Posted by timothy on Thursday April 24, 2014 @08:48AM
from the and-moving-forward-henceforth dept.

wiredmikey (1824622) writes "Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow. The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site."

Say what you want about Theo or the name his team has chosen, but I think I'd rather give my money to OpenBSD's LibreSSL project than donate to this.

I get that they are probably just after the good will and PR that this will generate, and that this isn't some vast conspiracy against open source, but I don't trust one of the companies on that list to give a care once public attention to heartbleed dies off.

Pick a project and donate directly, don't let these giants pick and choose for us!

So while these people have been doodling around forming initiatives and getting their logos splattered all over a web page, the OpenBSD people have actually founded the LibreSSL project and started actually overhauling the OpenSSL library, including fixing bugs that have been in the OpenSSL queue for years, not to mention finding a metric assload of new ones.

Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

But hey, actually doing work like fixing bugs etc. is not nearly as glamorous as making press releases and having a huge wodge of logos.

Leaving aside the fact that OpenSSL is not a "BSD package that kindly ported to Linux", I suggest it's rather more arrogant to assume that the world will rush to replace OpenSSL with Theo de Raadt's LibreSSL when (if) it becomes available.

OpenSSL is not fundamentally broken. It had a bug, albeit one with big consequences. Lots of people depend on OpenSSL and it needs to be properly maintained. Paying people to work on open source projects is nothing new, and if this funding supports developers with the necessary cryptographic skills devoting quality time to maintaining OpenSSL, then that's a good thing.

Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

The best choice is to fund LibreSSL and another project or two to do the same thing. Thoroughly vetting and fixing OpenSSL is a good thing. Getting a couple of solid, API-compatible competitors in the same space is even better, to reduce the monoculture problem, and to create competition.

Also, LibreSSL is just about OpenSSL. This initiative is supposed to be a long-term, ongoing effort to improve other widely-used open source software packages as well. Doing it through the Linux Foundation makes sense to me, too, mostly because it's an already-established example of exactly what the initiative wants to do to other open source packages. Linux is collaboratively developed by many companies (plus a few individual contributions) for the mutual benefit of all, and that model can and should be applied to other pieces of important open source infrastructure.

This is a good idea. It may or may not be a better approach to fixing OpenSSL (which, incidentally, has terrified me for years) than LibreSSL, but it's good for OpenSSL and for other projects. These companies can donate what to them is peanuts (and a tax write-off to boot), and in return the world as a whole will get improvements in fundamental computing infrastructure.

I do have to say I'm surprised (and pleased) to see Microsoft's name in the list. Google is no surprise; Google uses open source software heavily and has a long history of supporting it. Intel has been involved in OSS for years, too, since they're just as happy to sell hardware to run OSS as anything else. Cisco also uses open source software and has a clear interest in the health of the networking ecosystem. But Microsoft has in the past been a serious opponent of OSS, doing various things to try to undermine it, some openly and some rather underhanded. Lately the company has been divided on the question, in some cases supporting and/or benefitting from OSS while the other hand is trying to squash it, but I think Microsoft is gradually coming around, beginning to admit that OSS is not only here to stay, but that it has a valid and valuable place.